
The only method I can seem to find to add a certificate for secure LDAP (LDAP/S) for Azure Active Directory Domain Services is to upload the certificate from my local computer. This seems like a very poor key management solution when Microsoft Azure Key Vaults is available for creating and storing key pairs and certificates. Am I missing something? Is there a way to directly use a certificate and key pair from a Key Vault or must I download these from a Key Vault and then upload them for LDAP/S? Best PKI practices dictate that I never access the private key directly.

Scott

1 Answer

From Microsoft Support, having asked them the same question I posted here:

Hello Scott,

Thank you for contacting Microsoft Support. My name is David Solano. I am the Support Professional who will be working with you on this Service Request. You may reach me using the contact information listed below, referencing the SR number 11*******000***.

According to your issue description, I understand you need to know a way to directly use a certificate and key pair from a Key Vault for secure LDAP (LDAP/S).

In this case, I would like to explain to you that at the moment the only method to add a certificate for secure LDAP for Azure Active Directory Domain Services is to upload the certificate from your local computer, as explained in this Microsoft article on how to configure secure LDAP for your managed domain: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps.

Additionally, we cannot use a certificate and key pair directly from a Key Vault for secure LDAP. It would be required to download the private key and upload it to your local computer following the instructions provided above.

Also, if you need to know how to download this private key from KeyVault with a PFX password, you can run this script on PowerShell:

    # Sign in with the (now deprecated) AzureRM module, as in the original support reply
    Login-AzureRmAccount

    $vaultName          = "<NameOfKeyVault>"
    $keyVaultSecretName = "<NameOfTheSecretWhereCertificateIsStored>"

    # A Key Vault certificate's PFX (private key plus chain) is exposed as a secret of the same name
    $secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $keyVaultSecretName

    # Decode the base64 PFX into a certificate object; the key must be loaded as Exportable so it can be re-exported below
    $pfxCertObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @([Convert]::FromBase64String($secret.SecretValueText), "", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

    # Generate a random 50-character alphanumeric password for the exported PFX
    $pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | ForEach-Object { [char]$_ })

    # Make .NET's working directory match PowerShell's so the relative path below resolves correctly
    $currentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath
    [Environment]::CurrentDirectory = $currentDirectory

    # Write the password-protected PFX to the current directory
    [IO.File]::WriteAllBytes(".\KeyVaultCertificate.pfx", $pfxCertObject.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))

    Write-Host "Created an App Service Certificate copy at: $currentDirectory\KeyVaultCertificate.pfx"
    Write-Warning "For security reasons, do not store the PFX password. Use it directly from the console as required."
    Write-Host "PFX password: $pfxPassword"

If you have any questions or concerns, please let me know.

Best Regards,

David Solano | Support Engineer | Azure Support

Email: v-*****@microsoft.com | Manager: v-*****@microsoft.com

Working hours: 7:30 AM – 4:30 PM (M-F) MDT | Local Time

To reach Azure Support outside of my working hours, please email azurebu@microsoft.com with your support request number.

Ah, well.

Scott
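Since the support reply's script relies on the retired AzureRM module, here is an added example (mine, not from the support reply or Microsoft's tutorial) that does the same download with the current Az module, checks the exported certificate against the properties the linked LDAPS tutorial asks for (private key present, name covering the managed domain, DigitalSignature and KeyEncipherment key usage, Server Authentication EKU) before anything is written to disk, and removes the local PFX once the portal upload is done. The vault name, certificate name and managed-domain name are placeholders; `Get-AzKeyVaultSecret -AsPlainText` assumes a recent Az.KeyVault module, and the caller needs the secrets/get permission (or the Key Vault Secrets User role) on the vault.

```powershell
# Added example, not the support engineer's script: Az-module equivalent with a
# pre-upload check and local cleanup. Placeholders: <NameOfKeyVault>,
# <NameOfTheCertificate>, <managed-domain> (e.g. aaddscontoso.com).

Connect-AzAccount

$vaultName     = "<NameOfKeyVault>"
$certName      = "<NameOfTheCertificate>"   # Key Vault certificate object name
$managedDomain = "<managed-domain>"          # DNS name of the AAD DS managed domain
$pfxPath       = Join-Path (Get-Location -PSProvider FileSystem).ProviderPath "KeyVaultCertificate.pfx"

# The PFX (private key + chain) behind a Key Vault certificate is exposed as a secret of
# the same name; -AsPlainText assumes Az.KeyVault 3.0 or later.
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText
$pfxBytes  = [Convert]::FromBase64String($pfxBase64)

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, "", $flags)

function Test-LdapsCertificate {
    # Returns a list of problems; an empty list means the certificate looks usable for secure LDAP.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Domain
    )
    $problems = @()

    if (-not $Certificate.HasPrivateKey) { $problems += "PFX does not contain the private key" }
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($Certificate.NotAfter), less than 30 days out" }

    # The tutorial uses a wildcard name for the managed domain; accept the wildcard or the bare domain.
    $dnsName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -notin @("*.$Domain", $Domain)) { $problems += "name '$dnsName' does not cover $Domain" }

    # Key usage must allow digital signature and key encipherment.
    $ku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor `
              [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (($ku.KeyUsages -band $needed) -ne $needed)) { $problems += "key usage lacks DigitalSignature and/or KeyEncipherment" }

    # Enhanced key usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) { $problems += "EKU lacks Server Authentication" }

    return ,$problems
}

$problems = Test-LdapsCertificate -Certificate $cert -Domain $managedDomain
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate '$certName' in vault '$vaultName' does not meet the secure LDAP requirements; not exporting."
}

# Export with a random one-time password, shown once for the portal upload and never written to disk.
$pfxPassword = -join ((65..90) + (97..122) + (48..57) | Get-Random -Count 50 | ForEach-Object { [char]$_ })
[IO.File]::WriteAllBytes($pfxPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $pfxPassword))
Write-Host "PFX written to $pfxPath"
Write-Host "PFX password (shown once): $pfxPassword"

# After the upload in the portal has succeeded, delete the local copy so the private key
# only lives in Key Vault and in the managed domain.
Read-Host "Press Enter after the upload has completed to remove the local PFX" | Out-Null
Remove-Item -LiteralPath $pfxPath -Force
```

The check runs before the export so a certificate that will be rejected by the LDAPS configuration page never leaves the vault as a file; the `Read-Host` pause is there so the PFX exists only for the duration of the upload.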